---
layout: docs
page_title: Domain Model - Credential Libraries
description: |-
  The anatomy of a Boundary credential library
---

# Credential Libraries

A credential library is a resource that provides [credentials][] of the same type and same access level from a single [credential store][].

## Attributes

A credential library has the following configurable attributes:

- `name` - (optional) If you set this attribute, the `name` must be unique within the credential library's parent [credential store][].

- `description` - (optional) A user-defined description of the credential library for identification purposes.

### Vault generic credential library attributes

The generic Vault credential library has the following additional attributes:

- `path` - (required) The path in Vault to request credentials from.

- `http_method` - (optional) The HTTP method the library uses when requesting credentials from Vault.
Can be either `GET` or `POST`.
The default value is `GET`.

- `http_request_body` - (optional) The body of the HTTP request the library sends to Vault when requesting credentials.
Only valid if `http_method` is set to `POST`.

### Vault SSH certificate credential library attributes<sup>HCP Only</sup>

As of Boundary 0.12.0, you can configure SSH credential injection using [Vault's SSH secrets engine](/vault/docs/secrets/ssh) to create the SSH certificate credentials.
SSH certificate-based authentication extends key-based authentication using digital signatures.
Your users' authenticity is determined by a certificate signed by a trusted certificate authority (CA).
You can configure Vault's SSH secrets engine to act as the CA.

SSH certificates let you specify how long they are valid for, who can gain access to a target host, how users can log in, and what commands can be used on the target machine.
Unlike SSH key pairs, SSH certificates are short-lived and self-destructive.

A Vault SSH certificate credential library has the following additional attributes:

<Note>

The certificate is issued for the entire session, so if the `ttl` value is shorter than the target's `session_max_seconds` value, later connections may fail.
To prevent failures, you should ensure that the `ttl` value is equal to or longer than the target's `session_max_seconds`.
Alternatively, you could set the `session_connection_limit` to `1` for any targets that use the credential library.

</Note>

- `path` - (required) The path in Vault to request credentials from.

- `username` - (required) The username to use with the SSH certificate.
You can create a template for this value using [Vault credential library parameter templating](#vault-credential-library-parameter-templating).

- `key_type` - (optional) The type of key to use for the generated SSH private key.
The key type is either `ed25519`, `ecdsa`, or `rsa`.
The default key type is `ed25519`.

- `key_bits` - (optional) The number of bits used to generate the SSH private key.
The number of bits depends on the `key_type` value you select:
  - For an `ed25519` key type, you should not set the `key_bits` value.
  - For an `ecdsa` key type, you can select either `256`, `384`, or `521`.
  - For an `rsa` key type, you can select either `2048`, `3072`, or `4096`.

- `ttl` - (optional) The SSH certificate's time-to-live (TTL).

- `key_id` - (optional) The key ID for the created SSH certificate.

- `critical_options` - (optional) Any critical options that the certificate should be signed for.
For more information, refer to the [list of critical options](https://github.com/openssh/openssh-portable/blob/5f93c4836527d9fda05de8944a1c7b4a205080c7/PROTOCOL.certkeys#L221-L269) supported by OpenSSH.

- `extensions` - (optional) Any extensions that the certificate should be signed for.
For more information, refer to the [list of extensions](https://github.com/openssh/openssh-portable/blob/5f93c4836527d9fda05de8944a1c7b4a205080c7/PROTOCOL.certkeys#L270-L319) supported by OpenSSH.
Note that the `permit-pty` value should be set for an interactive shell to function properly.

### Vault credential library parameter templating

Sometimes it can be useful to provide information about a Boundary user or account when making a call to Vault. For example, this can allow picking the correct role when asking for database credentials (if roles are separated per-user), or providing a value to encode in an X.509 certificate generated by Vault. As of Boundary 0.11.1, you can template user and account information into either the path in Vault, the `POST` request body, or both.

The following Vault template parameters are supported in Boundary.
Note that account values are tied to the account associated with the token used to make the call:

- `{{.User.Id}}` - The user's ID.
- `{{.User.Name}}` - The user's name from the user resource.
- `{{.User.FullName}}` - The user's name from the account corresponding to the primary auth method in the user's scope.
This value may not be populated, or it may be different from the account name used in the template.
- `{{.User.Email}}` - The user's email address from the account corresponding to the primary auth method in the user's scope.
This value may not be populated, or it may be different from the account name used in the template.
- `{{.Account.Id}}` - The account's ID.
- `{{.Account.Name}}` - The name of the account from the account resource.
- `{{.Account.LoginName}}` - The account's login name, if a login name is used by that type of account.
- `{{.Account.Subject}}` - The account's subject, if a subject is used by that type of account.
- `{{.Account.Email}}` - The account's email, if email is used by that type of account.

Additionally, there is currently a single function that strips the rest of a string after a specified substring.
This function is useful for pulling a user or account name from an email address.
The following example turns `foo@example.com` into `foo`:

`{{truncateFrom .Account.Email "@"}}`

The example above uses the account email, but it could be any other parameter.

## Referenced by

- [Credential][]
- [Credential Store][]
- [Target][]

[credential store]: /boundary/docs/concepts/domain-model/credential-stores
[credential stores]: /boundary/docs/concepts/domain-model/credential-stores
[credential]: /boundary/docs/concepts/domain-model/credentials
[credentials]: /boundary/docs/concepts/domain-model/credentials
[project]: /boundary/docs/concepts/domain-model/scopes#projects
[projects]: /boundary/docs/concepts/domain-model/scopes#projects
[target]: /boundary/docs/concepts/domain-model/targets
[targets]: /boundary/docs/concepts/domain-model/targets

## Service API docs

The following services are relevant to this resource:

- [Credential Library Service](/boundary/api-docs/credential-library-service)
